Zentyal As A Gateway: The Perfect Setup - Page 2

3.3. Failover

Zentyal Server can do failover on gateways. If one of the gateways fails it will be detected and traffic will go through the other one. This guarantees balanced Internet connection (unless both links fail at the same time).

In order to configure failover, Events module must be enabled (in Module Status). You also need to enable WAN Failover in the Events section. Finally, you should add connectivity check rules. Failover event will use them to detect broken link status (Network -> WAN Failover):

Ping to gateway checks if the gateway is up, not the Internet connection itself, ping to an external host also tests for connectivity in a fast way, DNS resolution test is a little slower but it also checks DNS resolution, and the last one, HTTP request will do a complete request to a webpage, it's more complete but also slower.

With this configuration Zentyal will ping 8.8.8.8 each 30 seconds. If two or more pings fail for a gateway it will be deactivated. If the gateway recovers it will be enabled again. None of these events will affect end users' connectivity. It's important to set up a correct time between tests, calculating max test duration times. In this case we have six ping x two gateways, which should be done in less than 30 seconds.

 

3.4. Basic infrastructure

In order to provide a basic infrastructure for the internal network you need to install DNS and DHCP modules using Software Management -> Zentyal Components section.

Now you have to enable these components in Module Status. DNS will act as a caching server, so you can configure Network -> DNS to 127.0.0.1 to make Zentyal use it (if you set up more than one DNS server 127.0.0.1 should be the first one):

DHCP can also be configured to serve in the internal network: it will automatically configure clients to use Zentyal as a gateway and DNS. You only have to add a default range of IPs you want for the clients, 10.0.0.20-10.0.100 in this case:

 

4. Firewall

At this point you have a working network, with all the necessary basic networking infrastructure. Now, let's take a look to Zentyal's Firewall and how to configure it.

Zentyal is secure by default, by default firewall applies strict rules on the external interfaces and allows outgoing traffic from internal LAN. You can find the configured rules in Firewall -> Packet Filter:

  • Filtering rules from internal networks to Zentyal
  • Filtering rules for internal networks
  • Filtering rules for traffic coming out from Zentyal
  • Filtering rules from external networks to Zentyal
  • Filtering rules from external networks to internal networks
  • Rules added by Zentyal services (Advanced)

All these tables forbid connections by default, if you want to allow some kind of connection you need to create a new rule for this (rules are applied in order). Here are some common examples:

Allow internal clients to use some services except LDAP:

Allow all traffic from clients to the Internet:

 

5. HTTP Proxy

The last step of this tutorial is the HTTP Proxy setup. Zentyal's HTTP Proxy will cache users Web navigation truly decreasing bandwidth usage and it will also filter content, disallowing banned sites or content types.

From HTTP Proxy -> General you can configure the HTTP Proxy as transparent, so clients browsers don't need to be reconfigured, HTTP requests (port 80) will automatically be redirected through the proxy. You can also increase cache size depending on your hardware and usage.

Finally, you can add a URL to cache exceptions, so the proxy will never cache it. This is useful if you need to access the webpage always in its latest version.

Setting Filter as default policy will enforce the request to go through the content filter. Now you can configure it to allow and disallow your desired pages. In HTTP Proxy -> Filter Profiles menu you will find defined filtering profiles. You can configure the default one, which will apply to all users.

In addition, here you can configure content filter threshold and add banned domain lists. Also, if you install antivirus module the proxy will use it to filter virus downloads.

As you can see you have blocked facebook.com (just as example) but have in mind that HTTP Proxy only filters HTTP on port 80. In this case users can still reach HTTPS version of the page, so we also create a firewall rule blocking that traffic. You will need an object (Objects menu) containing facebook.com address pool:

If it doesn't exist you also create a new service to match the desired traffic. In this case HTTPS (TCP with destination port 443):

Finally you can add the firewall rule for internal networks blocking traffic matching your new object and service as destination:

 

6. Conclusions

We have fully configured Zentyal Server as a gateway with load balancing, failover and HTTP proxy cache. Zentyal will be also in charge of basic infrastructure serving DHCP and DNS.

 

About

Zentyal, the Linux Small Business Server, offers small and medium businesses an enterprise-level, affordable and easy-to-use network infrastructure. By using Zentyal server, SMBs are able to improve the reliability and security of their computer network and to reduce their IT investments and operational costs. Zentyal server development was started in early 2004 and currently it is the open source alternative to Windows Small Business Server. Zentyal is all-in-one server that can act as a Network Gateway, Unified Threat Manager (UTM), Office Server, Infrastructure Manager, Unified Communications Server or a combination of them. Zentyal server is widely used in the small and medium businesses regardless of sector, industry or location as well as in the public administrations or in the education sector. It is estimated that there are over 50,000 active Zentyal installations all over the globe.

The author, Carlos Pérez-Aradros Herce (aka exekias), works as Zentyal Server and Zentyal Cloud developer.

Share this page:

3 Comment(s)

Add comment

Please register in our forum first to comment.

Comments

By: Stuart Naylor
Reply  

Zentyal represents at least 2 years wasted of professional endeavour. Chosen because of my favourite distro Ubuntu. I am currently having a major pissy fit as all that experience is basically been flushed down the loo. I have had so many run in with the council and commercial body of Zentyal that is doesn't matter that it doesn't work. It doesn't matter 2.2 the fall back is pulling in 3.0 repo items.

It doesn't matter there has a history of botches and errors. Modules such as LTSP have directives in the build script whilst they should be .conf scripts for fat clients to work. School boy stuff really.

What matters is the constant denial and the knowledge of this makes me bloody angry. Irrespective of any fixes I know I am never going to be able to trust this product. What a bloody waste of my time. I am swapping and I am not happy about it but there is no other choice. ClearOS and CentOS it will have to be.


You must be aware of this and the possible damage this denial could cause as currently the community council with blind allegiance are actually advising working concerns to swap to a system where there isn't a single module that works in entirety as the documentation states.


Its because of this I don't think it would be wise to trust Ubuntu for business critical platforms as reading between the lines this denial must be common place.


Stuart.



By: Matthijs
Reply  

Zentyal 3.2 is working like a charm here and I know there are many other organizations who use it as well, with success. Limerick city council (Ireland) just being one example.

 I, for one, am very, very happy Zentyal exists and it's proving to be a huge time and money saver for me. Thumbs up!

By: KK
Reply  

Zentyal 3.3 works for me as well. Using it for DNS and an Additional Domain Controller in a Server 2003 domain for a remote office.